bug #7833: submitters can access see any registration in any RegistrationWorkingSet - Edit - Redmine

bug #7833

submitters can access see any registration in any RegistrationWorkingSet

Added by Andreas Kohlbecker 5 months ago. Updated 3 months ago.

Status:

Closed

Priority:

New

Assignee:

Andreas Kohlbecker

Category:

cdm-vaadin

Target version:

Release 5.5

Start date:

10/17/2018

Due date:

% Done:

100%

Severity:

normal

Found in Version:

Tags:

security phycobank

Description

Submitters can access any RegistrationWorkingSet where the registrations are all visible.
Registrations where the submitter is not the Registration.submitter should be hidden though.

The submitter can search for the reference via the "New Registration" view where existing publications can be selected.
. Clicking on "Continue" will get the submitter to the according RegistrationWorkingSetView where unpublished registrations can be visible. Seeing unpublished Registrations is ok as far as the publication has been published in the past!

Conclusion:

Unpublished references must be hidden from the select in the "New Registration"
RegistrationWorkingSet Unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.

Related issues

Associated revisions

Revision b32150b1 (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 restricting access to RegistrationWorkingsetView:
- AccessRestrictedViewControlBean to evaluate AccessRestrictedView.isAccessDenied()
- refactoring AccessRestrictedView class hierarchy

Revision d81bb53b (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 fixing inversly interpreted access denied

Revision 35a51c01 (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 registration start view only shows references for which the user has permissions

Revision 99741bc0 (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 registration start view excludes unpublished references

Revision 68369e5d (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 another method for UserHelper to scan for permissions

Revision 9e57572e (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 fixing null-view bug

Revision 51cc6f53 (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 permission checking in RegistrationWorkingSetService

Revision 943dcf96 (diff)
Added by Andreas Kohlbecker 3 months ago

ref #7833 adding missing check for anonymous authentication tokens to CdmUserHelper

History

#1 Updated by Wolf-Henning Kusber 4 months ago

RegistrationWorkingSet Unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.

Comment: Yes, if the publication is unpublished = a new workingset for new names and types.
Problem: published references of basionyms or replacement names or even old species epithets, needet for an infraspecific epithet. If those are needed for other new registrations they might be necessary.

#2 Updated by Andreas Kohlbecker 3 months ago

Status changed from New to Feedback
Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber

Hallo Henning,

ich denke dieses Ticket sollten wir unbedingt noch lösen bevor wir externe Submitter zulassen.

Also highest und noch in diesem Release?

Andreas

#3 Updated by Wolf-Henning Kusber 3 months ago

Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker

Unpublished references must be hidden from the select in the "New Registration" makes sense.
Question (2): creator = person or working set submitter?
A content issue: An author might work on a second unpublished article on names of a first unpublished article.